Coinbase warns of up to $519 million hacking, rocking company that led crypto into mainstream

San Francisco – On the long list of crypto companies that have been hacked, there are plenty of examples of financial losses that are much more painful than what Coinbase Global appears to be facing from the attack it disclosed on May 15.

Yet this one stands out for significance far beyond the US$400 million (S$519 million) the company expects it will cost: This time, the victim was arguably the most influential US company in the industry. 

Coinbase is the firm that led the digital asset industry’s march into the mainstream financial system as the first publicly traded crypto exchange. It is the company that safeguards the lion’s share of the US$122 billion worth of tokens owned by spot-Bitcoin exchange-traded funds (ETFs). And it is the firm that did much of the heavy lifting when it came to the industry’s campaign spending spree to send a platoon of pro-crypto lawmakers to Washington in 2025. 

Indeed, the revelation of the hacking comes just three days after the company’s crowning achievement in mainstreaming crypto with its

addition to the S&P 500 Index

, a development that will land its shares into trillions of dollars worth of retirement plans and other investment products that track the benchmark gauge.

The hacking, plus subsequent news of a lingering Securities and Exchange Commission (SEC) investigation into how the company reported its number of users, sent the shares down more than 7 per cent on May 15.

Less than 1 per cent of the exchange’s monthly transacting users were affected, Coinbase said on May 15. In addition to ramping up security controls for those affected, Coinbase said it would reimburse in full anyone who lost money.

Instead of paying the ransom, the exchange is offering a US$20 million bounty to anyone with information leading to the attackers’ arrest and conviction. 

While the company says the Coinbase Prime service that custodies crypto for ETF issuers and services other institutional investors was not affected, the hackers did have near-constant access to some of Coinbase Global’s most valuable customer data since January, according to a person familiar with the incident. 

The hackers’ scheme was brazen, if not especially impressive from a technology standpoint: They bribed customer representatives to steal client data and then demanded a US$20 million ransom to delete it. Coinbase began noticing unusual activity from some of these representatives as far back as January.  

The bribed reps got access to names, dates of birth, addresses, nationalities, government-issued ID numbers, some banking information as well as details about when customer accounts were created and their balances, the person said. This information could be used to attempt to impersonate Coinbase and convince customers to let the hackers into their account. It could also be used to impersonate the victims with other service providers to attempt to convince them to let hackers into other financial accounts they maintain.

For some traders with big balances on the exchange, the incident was alarming for reasons that go beyond the potential financial losses, considering the kidnapping and mutilation of a crypto start-up co-founder earlier in 2025 and reports of other similar incidents.  

“It’s a major breach, the amount of personal information shared is staggering,” said Mr Mike Dudas, managing partner of web3 firm 6MV, who said he was targeted by the Coinbase hackers. “It will make people have to consider their personal physical security, especially with the things happening in France and elsewhere.”

The hackers had bribed enough customer service representatives to achieve effectively on-demand access to Coinbase customer information in the past five months, the person said.

Coinbase chief security officer Philip Martin disputed the assertion of near constant access, saying in an interview with Bloomberg News that the firm pulled the agents’ access as soon as it was discovered that they were improperly sharing information. Therefore, the hackers “did not have persistent access over the course of the entire period”, he said.  

“What these attackers were doing was finding Coinbase employees and contractors based in India who were associated with our business process outsourcing or support operations, that kind of thing, and bribing them in order to obtain customer data,” Mr Martin said.

Coinbase detected the agents, quarantined them and fired them as soon as the company noticed the activity. 

Mr David Jeong, a crypto founder in New York, said he received a text from an unidentified number on April 3, in which he was asked to verify the login for his personal account. He then received another text from a different number on May 4. Mr Jeong said he has not used a one-time password from Coinbase for two years.

In the e-mail, Coinbase recommended that customers ensure they are “regularly monitoring your account, using a strong and unique password”.

Hacking attacks have long plagued the crypto industry, thanks to its heavy reliance on user anonymity and complex digital software. Around US$2.2 billion was lost to such incidents in 2024, according to researcher Chainalysis. Operating under the threat of attack has been particularly painful for crypto exchanges, which are often major targets and face high ongoing costs to maintain tight security. 

This type of so-called social engineering attack – in which criminals use people to gain unauthorised access to data, rather than exploiting flaws in computer code – is a type of threat that has become increasingly popular in crypto, resulting in recent major incidents like the US$1.5 billion hacking of crypto exchange Bybit in February.

“Unfortunately as our nascent industry grows rapidly, it draws the eye of bad actors, who are becoming increasingly sophisticated in the scope of their attacks and harnessing new AI tools and techniques to bypass fraud prevention measures,” said Mr Nick Jones, founder and CEO at crypto technology platform Zumo. “This is understandably a huge blow for a company that has had a pivotal few weeks.” 

Meanwhile, The New York Times reported that the SEC has been investigating whether Coinbase misstated its user numbers in past disclosures as part of an inquiry that began during the Biden administration.

“This is a hold-over investigation from the prior administration about a metric we stopped reporting 2½ years ago, which was fully disclosed to the public,” Mr Paul Grewal, Coinbase’s chief legal officer, said in a statement. “While we strongly believe this investigation should not continue, we remain committed to working with the SEC to bring this matter to a close.” BLOOMBERG